Fix available, but smaller companies could still be at risk

Aug 20, 2014 11:31 GMT

The mechanism Facebook uses to refresh images attached to posts can be abused to mount distributed denial-of-service (DDoS) attacks that ride on the site's high-bandwidth servers, a security researcher has found.

After Facebook added a feature for refreshing attachment content in early June, Teofil Cojocariu, a security researcher at the Cyber Security Research Center in Romania (CCSIR), discovered that the feature could be abused to mount a DDoS attack against a third-party site.

He reported the flaw to Facebook, which implemented a fix, but Cojocariu says that while larger companies are now safe from this type of attack, smaller ones with limited bandwidth remain susceptible to it.

Facebook's fix makes the unique identifier that accompanies an attachment refresh temporary, so that a single identifier is only good for a limited number of refreshes. At the time of writing, the company had not said how many refreshes are allowed.

The researcher says an attacker can bring down a website by taking a link to an image it hosts and publishing it on Facebook with the "Only Me" privacy setting, so nobody else ever sees the post. By refreshing the attachment and capturing the browser's requests, the attacker can write a script that replays the refresh request, forcing Facebook's servers to fetch the file from the victim's server over and over and generating large volumes of traffic. The requests that hit the victim originate from Facebook's infrastructure rather than from the attacker, which is what turns the feature into a high-bandwidth traffic amplifier.

Cojocariu also wrote a proof-of-concept (PoC) script that demonstrates the attack. He says that in his tests the PoC reached a peak of 934.06 Mbps, but that figure may have been capped by the hardware of the targeted server, which had a 1 Gbps port. He believes there is no actual limit on the output that can be generated.
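From the origin's point of view, the pattern described above is easy to spot: the same image is fetched in full, again and again, within seconds, from a spread of client addresses that all present the same fetcher identity. The following detector is an added example, not the researcher's PoC or anything from Facebook; it runs over constructed access-log lines in Combined Log Format and flags objects that receive more than a set number of complete downloads from one user agent inside a sliding window. The user-agent string `facebookexternalhit` is an assumption (the article does not name the fetcher), as are the 2 MiB object, the ten-second window and the threshold of three full fetches.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Combined Log Format lines standing in for a small site's access log
# (not from the article). Six full 2 MiB fetches of one image within six seconds,
# from several addresses but one fetcher identity, reproduce the pattern the
# article describes; the remaining lines are ordinary traffic. The 206 line shows
# a partial fetch, which is deliberately not counted as a full refetch.
SAMPLE_LOG = """\
198.51.100.7 - - [20/Aug/2014:11:30:58 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Aug/2014:11:31:00 +0000] "GET /img/banner.jpg HTTP/1.1" 200 2097152 "-" "facebookexternalhit/1.1"
203.0.113.6 - - [20/Aug/2014:11:31:01 +0000] "GET /img/banner.jpg HTTP/1.1" 200 2097152 "-" "facebookexternalhit/1.1"
203.0.113.5 - - [20/Aug/2014:11:31:02 +0000] "GET /img/banner.jpg HTTP/1.1" 200 2097152 "-" "facebookexternalhit/1.1"
198.51.100.8 - - [20/Aug/2014:11:31:02 +0000] "GET /img/logo.png HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Aug/2014:11:31:03 +0000] "GET /img/banner.jpg HTTP/1.1" 200 2097152 "-" "facebookexternalhit/1.1"
203.0.113.5 - - [20/Aug/2014:11:31:04 +0000] "GET /img/banner.jpg HTTP/1.1" 200 2097152 "-" "facebookexternalhit/1.1"
203.0.113.6 - - [20/Aug/2014:11:31:05 +0000] "GET /img/banner.jpg HTTP/1.1" 206 4096 "-" "facebookexternalhit/1.1"
203.0.113.6 - - [20/Aug/2014:11:31:05 +0000] "GET /img/banner.jpg HTTP/1.1" 200 2097152 "-" "facebookexternalhit/1.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one Combined Log Format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
        "size": 0 if m["size"] == "-" else int(m["size"]),
        "ua": m["ua"],
    }


def detect_refetch_floods(lines, window_seconds=10, max_full_fetches=3):
    """Flag (path, user agent) pairs that receive more than max_full_fetches
    complete (HTTP 200) downloads inside any window_seconds sliding window.

    Grouping by user agent rather than client IP is the point: the requests
    arrive from many of the fetching service's addresses, so per-IP limits
    never trigger, yet they all name the same fetcher and the same object.
    Returns one alert per offending pair with the final count and byte total.
    """
    recent = defaultdict(deque)  # (path, ua) -> deque of (timestamp, size)
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:  # 206/304 are not full refetches
            continue
        key = (rec["path"], rec["ua"])
        q = recent[key]
        q.append((rec["ts"], rec["size"]))
        cutoff = rec["ts"].timestamp() - window_seconds
        while q and q[0][0].timestamp() < cutoff:
            q.popleft()
        if len(q) > max_full_fetches:
            alerts[key] = {
                "path": key[0],
                "user_agent": key[1],
                "full_fetches": len(q),
                "bytes_served": sum(size for _, size in q),
                "window_start": q[0][0],
                "window_end": rec["ts"],
            }
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_refetch_floods(SAMPLE_LOG.splitlines()):
        print(f'{a["path"]} fetched {a["full_fetches"]}x by "{a["user_agent"]}" '
              f'({a["bytes_served"]} bytes) between '
              f'{a["window_start"]:%H:%M:%S} and {a["window_end"]:%H:%M:%S}')
```

Once an object is flagged, the cheapest response on a small origin is to answer further requests for it from that user agent with a 429 or a redirect to a cached copy on a CDN; the detector only identifies the pair to throttle. Thresholds are deliberately low here to make the sample trip; a real site would tune them to its legitimate preview-fetch rate.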

A similar glitch was reported to Facebook back in April by security researcher Chaman Thapa (also known under the online handle "chr13"), but at that time Facebook said that there was no real way to create a fix "that would stop 'attacks' against small consumer grade sites without also significantly degrading the overall functionality."

Part of that problem appears to remain even after the company delivered a fix for the issue reported by the Romanian researcher.

Cojocariu discovered the vulnerability and disclosed it privately to Facebook on June 13. A day later, a Facebook engineer replied that the issue had been forwarded to the appropriate team.

On July 28, Facebook emailed Cojocariu to say that a fix had been deployed on the server side. Cojocariu received a $500 / €375 bug bounty for the finding.

[UPDATE, August 21]: Facebook configured the unique identifier to change after ten refresh requests, and the company appears to have added a further protection recently.

Cojocariu re-tested his finding on Thursday and noticed that once the token has expired, Facebook's servers download only part of the image file, which essentially removes the traffic amplification and with it the risk of a DDoS attack through the refresh feature.
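The two-stage mitigation described in the update, a per-attachment identifier good for ten full refetches followed by partial downloads only, bounds what one captured request can cost the origin. The model below is an added example, a hypothetical reconstruction written for this page and not Facebook's code; the 4 KiB partial-fetch size and the 2 MiB object are assumptions, and the budget of ten comes from the update. It shows why the residual exposure is `full_refetches * object_size` per published post, which is the figure a small site still has to absorb for every post an attacker creates.

```python
import secrets


class RefreshBudget:
    """Model of the mitigation the article describes (hypothetical; the real
    service's internals are not public). Each newly published attachment gets a
    unique identifier that is good for a fixed number of full refetches. Once
    that budget is spent, or if the identifier is unknown, a replayed refresh
    makes the fetcher pull only the first partial_bytes of the object instead
    of the whole file."""

    def __init__(self, full_refetches=10, partial_bytes=4096):
        self.full_refetches = full_refetches
        self.partial_bytes = partial_bytes
        self._remaining = {}  # identifier -> full refetches left

    def issue(self):
        """Mint the identifier a freshly published attachment receives."""
        token = secrets.token_urlsafe(16)
        self._remaining[token] = self.full_refetches
        return token

    def refresh(self, token, object_size):
        """Return the number of bytes the fetcher pulls from the origin for one
        refresh request replayed with `token`."""
        left = self._remaining.get(token)
        if left is None:  # unknown or forged identifier: treated as expired
            return min(self.partial_bytes, object_size)
        if left > 0:
            self._remaining[token] = left - 1
            return object_size
        return min(self.partial_bytes, object_size)


def origin_bytes_forced(attempts, object_size, budget=None):
    """Bytes an attacker forces the origin to serve by replaying one captured
    refresh request `attempts` times: unbounded when budget is None (the
    pre-fix behaviour), capped when a RefreshBudget is in force."""
    if budget is None:
        return attempts * object_size
    token = budget.issue()
    return sum(budget.refresh(token, object_size) for _ in range(attempts))


def residual_exposure(budget, object_size, posts):
    """Worst case an attacker can still reach by publishing `posts` separate
    attachments and spending each one's full-refetch budget."""
    return posts * budget.full_refetches * object_size


if __name__ == "__main__":
    size = 2 * 1024 * 1024  # assumed 2 MiB image
    print("unmitigated, 1000 replays:", origin_bytes_forced(1000, size))
    print("with budget, 1000 replays: ", origin_bytes_forced(1000, size, RefreshBudget()))
    print("100 fresh posts, budget spent:", residual_exposure(RefreshBudget(), size, 100))
```

A thousand replays of one request go from roughly 2 GiB of origin traffic to about 24 MiB under the budget, but `residual_exposure` shows the other side of the update: the cap is per post, not per attacker, so the cost of flooding a small origin becomes the cost of publishing more "Only Me" posts.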